%global security_hardening none Summary: Kernel Name: linux-aws Version: 4.19.40 Release: 3%{?kat_build:.%kat_build}%{?dist} License: GPLv2 URL: http://www.kernel.org/ Group: System Environment/Kernel Vendor: VMware, Inc. Distribution: Photon Source0: http://www.kernel.org/pub/linux/kernel/v4.x/linux-%{version}.tar.xz %define sha1 linux=c04181c3736e5b85d349f9b58d406d4c18ad4958 Source1: config-aws Source2: initramfs.trigger Source3: update_photon_cfg.postun # common Patch0: linux-4.14-Log-kmsg-dump-on-panic.patch Patch1: double-tcp_mem-limits.patch # TODO: disable this patch, check for regressions #Patch2: linux-4.9-watchdog-Disable-watchdog-on-virtual-machines.patch Patch3: SUNRPC-Do-not-reuse-srcport-for-TIME_WAIT-socket.patch Patch4: SUNRPC-xs_bind-uses-ip_local_reserved_ports.patch Patch5: vsock-transport-for-9p.patch Patch6: 4.18-x86-vmware-STA-support.patch #HyperV patches Patch13: 0004-vmbus-Don-t-spam-the-logs-with-unknown-GUIDs.patch # TODO: Is CONFIG_HYPERV_VSOCKETS the same? #Patch23: 0014-hv_sock-introduce-Hyper-V-Sockets.patch #FIPS patches - allow some algorithms Patch24: 4.18-Allow-some-algo-tests-for-FIPS.patch Patch26: 4.18-add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch # Fix CVE-2017-1000252 Patch28: kvm-dont-accept-wrong-gsi-values.patch # Out-of-tree patches from AppArmor: Patch29: 4.17-0001-apparmor-patch-to-provide-compatibility-with-v2.x-ne.patch Patch30: 4.17-0002-apparmor-af_unix-mediation.patch Patch31: 4.17-0003-apparmor-fix-use-after-free-in-sk_peer_label.patch # RDRAND-based RNG driver to enhance the kernel's entropy pool: Patch32: 4.18-0001-hwrng-rdrand-Add-RNG-driver-based-on-x86-rdrand-inst.patch # Amazon AWS Patch101: 0002-watchdog-Disable-watchdog-on-virtual-machines.patch Patch102: 0004-bump-the-default-TTL-to-255.patch Patch103: 0005-bump-default-tcp_wmem-from-16KB-to-20KB.patch Patch105: 0009-drivers-introduce-AMAZON_DRIVER_UPDATES.patch Patch106: 0010-drivers-amazon-add-network-device-drivers-support.patch Patch107: 0011-drivers-amazon-introduce-AMAZON_ENA_ETHERNET.patch Patch108: 0012-Importing-Amazon-ENA-driver-1.5.0-into-amazon-4.14.y.patch Patch109: 0013-xen-manage-keep-track-of-the-on-going-suspend-mode.patch Patch110: 0014-xen-manage-introduce-helper-function-to-know-the-on-.patch Patch111: 0015-xenbus-add-freeze-thaw-restore-callbacks-support.patch Patch112: 0016-x86-xen-Introduce-new-function-to-map-HYPERVISOR_sha.patch Patch113: 0017-x86-xen-add-system-core-suspend-and-resume-callbacks.patch Patch114: 0018-xen-blkfront-add-callbacks-for-PM-suspend-and-hibern.patch Patch115: 0019-xen-netfront-add-callbacks-for-PM-suspend-and-hibern.patch Patch116: 0020-xen-time-introduce-xen_-save-restore-_steal_clock.patch Patch117: 0021-x86-xen-save-and-restore-steal-clock.patch Patch118: 0022-xen-events-add-xen_shutdown_pirqs-helper-function.patch Patch119: 0023-x86-xen-close-event-channels-for-PIRQs-in-system-cor.patch Patch120: 0024-PM-hibernate-update-the-resume-offset-on-SNAPSHOT_SE.patch Patch121: 0025-Not-for-upstream-PM-hibernate-Speed-up-hibernation-b.patch Patch122: 0026-xen-blkfront-resurrect-request-based-mode.patch Patch123: 0027-xen-blkfront-add-persistent_grants-parameter.patch Patch125: 0029-Revert-xen-dont-fiddle-with-event-channel-masking-in.patch Patch131: 0035-xen-blkfront-Fixed-blkfront_restore-to-remove-a-call.patch Patch133: 0037-x86-tsc-avoid-system-instability-in-hibernation.patch Patch152: 0056-Amazon-ENA-driver-Update-to-version-1.6.0.patch %if 0%{?kat_build:1} Patch1000: %{kat_build}.patch %endif BuildArch: x86_64 BuildRequires: bc BuildRequires: kbd BuildRequires: kmod-devel BuildRequires: glib-devel BuildRequires: xerces-c-devel BuildRequires: xml-security-c-devel BuildRequires: libdnet-devel BuildRequires: libmspack-devel BuildRequires: Linux-PAM-devel BuildRequires: openssl-devel BuildRequires: procps-ng-devel BuildRequires: audit-devel Requires: filesystem kmod Requires(post):(coreutils or toybox) Requires(postun):(coreutils or toybox) %define uname_r %{version}-%{release}-aws %description The Linux package contains the Linux kernel. %package devel Summary: Kernel Dev Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} Requires: python3 gawk %description devel The Linux package contains the Linux kernel dev files %package drivers-gpu Summary: Kernel GPU Drivers Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} %description drivers-gpu The Linux package contains the Linux kernel drivers for GPU %package sound Summary: Kernel Sound modules Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} %description sound The Linux package contains the Linux kernel sound support %package docs Summary: Kernel docs Group: System Environment/Kernel Requires: python3 %description docs The Linux package contains the Linux kernel doc files %ifarch x86_64 %package oprofile Summary: Kernel driver for oprofile, a statistical profiler for Linux systems Group: System Environment/Kernel Requires: %{name} = %{version}-%{release} %description oprofile Kernel driver for oprofile, a statistical profiler for Linux systems %endif %package tools Summary: This package contains the 'perf' performance analysis tools for Linux kernel Group: System/Tools Requires: %{name} = %{version}-%{release} Requires: audit %description tools This package contains the 'perf' performance analysis tools for Linux kernel. %prep %setup -q -n linux-%{version} %patch0 -p1 %patch1 -p1 %patch3 -p1 %patch4 -p1 %patch5 -p1 %patch6 -p1 %patch13 -p1 %patch24 -p1 %patch26 -p1 %patch28 -p1 %patch29 -p1 %patch30 -p1 %patch31 -p1 %patch32 -p1 %patch101 -p1 %patch102 -p1 %patch103 -p1 %patch105 -p1 %patch106 -p1 %patch107 -p1 %patch108 -p1 %patch109 -p1 %patch110 -p1 %patch111 -p1 %patch112 -p1 %patch113 -p1 %patch114 -p1 %patch115 -p1 %patch116 -p1 %patch117 -p1 %patch118 -p1 %patch119 -p1 %patch120 -p1 %patch121 -p1 %patch122 -p1 %patch123 -p1 %patch125 -p1 %patch131 -p1 %patch133 -p1 %patch152 -p1 %if 0%{?kat_build:1} %patch1000 -p1 %endif %build make mrproper %ifarch x86_64 cp %{SOURCE1} .config arch="x86_64" archdir="x86" %endif sed -i 's/CONFIG_LOCALVERSION="-aws"/CONFIG_LOCALVERSION="-%{release}-aws"/' .config make LC_ALL= oldconfig make VERBOSE=1 KBUILD_BUILD_VERSION="1-photon" KBUILD_BUILD_HOST="photon" ARCH=${arch} %{?_smp_mflags} make -C tools perf %define __modules_install_post \ for MODULE in `find %{buildroot}/lib/modules/%{uname_r} -name *.ko` ; do \ ./scripts/sign-file sha512 certs/signing_key.pem certs/signing_key.x509 $MODULE \ rm -f $MODULE.{sig,dig} \ xz $MODULE \ done \ %{nil} # We want to compress modules after stripping. Extra step is added to # the default __spec_install_post. %define __spec_install_post\ %{?__debug_package:%{__debug_install_post}}\ %{__arch_install_post}\ %{__os_install_post}\ %{__modules_install_post}\ %{nil} %install install -vdm 755 %{buildroot}/etc install -vdm 755 %{buildroot}/boot install -vdm 755 %{buildroot}%{_defaultdocdir}/%{name}-%{uname_r} install -vdm 755 %{buildroot}/usr/src/%{name}-headers-%{uname_r} install -vdm 755 %{buildroot}/usr/lib/debug/lib/modules/%{uname_r} make INSTALL_MOD_PATH=%{buildroot} modules_install %ifarch x86_64 # Verify for build-id match # We observe different IDs sometimes # TODO: debug it ID1=`readelf -n vmlinux | grep "Build ID"` ./scripts/extract-vmlinux arch/x86/boot/bzImage > extracted-vmlinux ID2=`readelf -n extracted-vmlinux | grep "Build ID"` if [ "$ID1" != "$ID2" ] ; then echo "Build IDs do not match" echo $ID1 echo $ID2 exit 1 fi install -vm 644 arch/x86/boot/bzImage %{buildroot}/boot/vmlinuz-%{uname_r} %endif # Restrict the permission on System.map-X file install -vm 400 System.map %{buildroot}/boot/System.map-%{uname_r} install -vm 644 .config %{buildroot}/boot/config-%{uname_r} cp -r Documentation/* %{buildroot}%{_defaultdocdir}/%{name}-%{uname_r} install -vm 644 vmlinux %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux-%{uname_r} # `perf test vmlinux` needs it ln -s vmlinux-%{uname_r} %{buildroot}/usr/lib/debug/lib/modules/%{uname_r}/vmlinux cat > %{buildroot}/boot/%{name}-%{uname_r}.cfg << "EOF" # GRUB Environment Block photon_cmdline=init=/lib/systemd/systemd ro loglevel=3 quiet no-vmw-sta nvme_core.io_timeout=4294967295 photon_linux=vmlinuz-%{uname_r} photon_initrd=initrd.img-%{uname_r} EOF # Register myself to initramfs mkdir -p %{buildroot}/%{_localstatedir}/lib/initramfs/kernel cat > %{buildroot}/%{_localstatedir}/lib/initramfs/kernel/%{uname_r} << "EOF" --add-drivers "tmem xen-scsifront xen-blkfront xen-acpi-processor xen-evtchn xen-gntalloc xen-gntdev xen-privcmd xen-pciback xenfs hv_utils hv_vmbus hv_storvsc hv_netvsc hv_sock hv_balloon cn" EOF # Cleanup dangling symlinks rm -rf %{buildroot}/lib/modules/%{uname_r}/source rm -rf %{buildroot}/lib/modules/%{uname_r}/build find . -name Makefile* -o -name Kconfig* -o -name *.pl | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy find arch/${archdir}/include include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy find $(find arch/${archdir} -name include -o -name scripts -type d) -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy find arch/${archdir}/include Module.symvers include scripts -type f | xargs sh -c 'cp --parents "$@" %{buildroot}/usr/src/%{name}-headers-%{uname_r}' copy %ifarch x86_64 # CONFIG_STACK_VALIDATION=y requires objtool to build external modules install -vsm 755 tools/objtool/objtool %{buildroot}/usr/src/%{name}-headers-%{uname_r}/tools/objtool/ install -vsm 755 tools/objtool/fixdep %{buildroot}/usr/src/%{name}-headers-%{uname_r}/tools/objtool/ %endif cp .config %{buildroot}/usr/src/%{name}-headers-%{uname_r} # copy .config manually to be where it's expected to be ln -sf "/usr/src/%{name}-headers-%{uname_r}" "%{buildroot}/lib/modules/%{uname_r}/build" find %{buildroot}/lib/modules -name '*.ko' -print0 | xargs -0 chmod u+x # disable (JOBS=1) parallel build to fix this issue: # fixdep: error opening depfile: ./.plugin_cfg80211.o.d: No such file or directory # Linux version that was affected is 4.4.26 make -C tools JOBS=1 DESTDIR=%{buildroot} prefix=%{_prefix} perf_install %include %{SOURCE2} %include %{SOURCE3} %post /sbin/depmod -aq %{uname_r} ln -sf %{name}-%{uname_r}.cfg /boot/photon.cfg %post drivers-gpu /sbin/depmod -aq %{uname_r} %post sound /sbin/depmod -aq %{uname_r} %ifarch x86_64 %post oprofile /sbin/depmod -aq %{uname_r} %endif %files %defattr(-,root,root) /boot/System.map-%{uname_r} /boot/config-%{uname_r} /boot/vmlinuz-%{uname_r} %config(noreplace) /boot/%{name}-%{uname_r}.cfg %config %{_localstatedir}/lib/initramfs/kernel/%{uname_r} %defattr(0644,root,root) /lib/modules/%{uname_r}/* %exclude /lib/modules/%{uname_r}/build %exclude /lib/modules/%{uname_r}/kernel/drivers/gpu %exclude /lib/modules/%{uname_r}/kernel/sound %ifarch x86_64 %exclude /lib/modules/%{uname_r}/kernel/arch/x86/oprofile/ %endif %files docs %defattr(-,root,root) %{_defaultdocdir}/%{name}-%{uname_r}/* %files devel %defattr(-,root,root) /lib/modules/%{uname_r}/build /usr/src/%{name}-headers-%{uname_r} %files drivers-gpu %defattr(-,root,root) %exclude /lib/modules/%{uname_r}/kernel/drivers/gpu/drm/cirrus/ /lib/modules/%{uname_r}/kernel/drivers/gpu %files sound %defattr(-,root,root) /lib/modules/%{uname_r}/kernel/sound %ifarch x86_64 %files oprofile %defattr(-,root,root) /lib/modules/%{uname_r}/kernel/arch/x86/oprofile/ %endif %files tools %defattr(-,root,root) /usr/libexec %exclude %{_libdir}/debug %ifarch x86_64 /usr/lib64/traceevent %endif %{_bindir} /etc/bash_completion.d/* /usr/share/perf-core/strace/groups/file /usr/share/doc/* %{_libdir}/perf/examples/bpf/* %{_libdir}/perf/include/bpf/* %changelog * Thu May 23 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.40-3 - Fix CVE-2019-11191 by deprecating a.out file format support. * Tue May 14 2019 Keerthana K <keerthanak@vmware.com> 4.19.40-2 - Fix to parse through /boot folder and update symlink (/boot/photon.cfg) if - mulitple kernels are installed and current linux kernel is removed. * Tue May 07 2019 Ajay Kaher <akaher@vmware.com> 4.19.40-1 - Update to version 4.19.40 * Fri Mar 29 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-2 - Fix CVE-2019-10125 * Wed Mar 27 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.32-1 - Update to version 4.19.32 * Thu Mar 14 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.29-1 - Update to version 4.19.29 * Tue Mar 05 2019 Ajay Kaher <akaher@vmware.com> 4.19.26-1 - Update to version 4.19.26 * Thu Feb 21 2019 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.19.15-2 - Fix CVE-2019-8912 * Tue Jan 15 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.15-1 - Update to version 4.19.15 * Mon Jan 07 2019 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-2 - Enable additional security hardening options in the config. * Mon Dec 10 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.6-1 - Update to version 4.19.6 - Enable EFI in config-aws to support kernel signing. * Mon Dec 10 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.1-3 - Set nvme io_timeout to maximum in kernel cmdline. * Wed Nov 14 2018 Ajay Kaher <akaher@vmware.com> 4.19.1-2 - Adding BuildArch * Tue Nov 06 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.19.1-1 - Update to version 4.19.1 * Mon Oct 22 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 4.18.9-1 - Update to version 4.18.9 * Mon Oct 08 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.67-2 - Add enhancements from Amazon. * Wed Sep 19 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.67-1 - Update to version 4.14.67 * Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.54-4 - Add rdrand-based RNG driver to enhance kernel entropy. * Sun Sep 02 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.54-3 - Add full retpoline support by building with retpoline-enabled gcc. * Thu Aug 30 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.54-2 - Apply out-of-tree patches needed for AppArmor. * Mon Jul 09 2018 Him Kalyan Bordoloi <bordoloih@vmware.com> 4.14.54-1 - Update to version 4.14.54 * Thu Feb 22 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 4.14.8-1 - First build based on linux.spec and config. No AWS-specific patches yet.